Submitting patches for PIVToken.cpp bugs [Yubikey Neo]
Hi,

I have been doing a little bit of debugging with the YubiKey Neo PIV card USB dongles on MacOSX (http://www.amazon.com/Yubico-Y-072-YubiKey-NEO/dp/B00LX8KZZ8/ref=sr_1_1?ie=UTF8&qid=1445630304&sr=8-1&keywords=Yubikey+neo).

It looks like they aren't 100% PIV compliant, and they are falling over in PIVToken.cpp::probe()...

    byte_string cccOid((const unsigned char *)oidCardCapabilityContainer, oidCardCapabilityContainer + sizeof(oidCardCapabilityContainer));
    byte_string cccdata;
    getDataCore(cccOid, "CCC", false, true, cccdata);
    PIVCCC ccc(cccdata);

They do not return the CardCapabilityContainer here (although interestingly enough the other APDU calls do return certificates at this point!).

You can reproduce this by running opensc-explorer and issuing:

    apdu 0 cb 3f ff 5 5c 3 5f c1 7

This returns 0x6a82 (file not found). This call, however:

    apdu 0 cb 3f ff 5 5c 3 5f c1 5

returns the X509 certificate correctly.

If I disable the probe call to GetDataCore for the CardCapabilityContainer, the device works correctly in Safari.

I have reported the issue to Yubico, but I am interested to see if you have any recommendations as to how to patch this in TokenD. You have a "GetDataExists" method in there which would prevent the exception. I guess that you need a unique ID for the smart card in probe though (would the CHUID be an alternative choice - that works?)

Let me know what you think!

DDD
David,

If you haven’t already, can you submit a ticket for this and I’ll see what I can do.

- Shawn
_____________________________________________________________________
Shawn Geddis                          geddis at {Mac | Me | iCloud} dot com
Security and Certifications Engineer, Apple   geddis at { apple } dot com
Smart Card Services Project/Dev Lead:
Project Wiki: http://smartcardservices.macosforge.org
Mailing Lists: http://lists.macosforge.org/mailman/listinfo
SCS Contact: scs-cotact@macosforge.org
SCS Admin: scs-admin@macosforge.org
_____________________________________________________________________
On Oct 23, 2015, at 1:09 PM, david.lloyd@fsmail.net wrote:
Hi,
I have been doing a little bit of debugging with the YubiKey Neo PIV card USB dongles on MacOSX (http://www.amazon.com/Yubico-Y-072-YubiKey-NEO/dp/B00LX8KZZ8/ref=sr_1_1?ie=UTF8&qid=1445630304&sr=8-1&keywords=Yubikey+neo).
It looks like they aren't 100% PIV compliant, and they are falling over in PIVToken.cpp::probe()...
    byte_string cccOid((const unsigned char *)oidCardCapabilityContainer, oidCardCapabilityContainer + sizeof(oidCardCapabilityContainer));
    byte_string cccdata;
    getDataCore(cccOid, "CCC", false, true, cccdata);
    PIVCCC ccc(cccdata);
They do not return the CardCapabilityContainer here (although interestingly enough the other APDU calls do return certificates at this point!).
You can reproduce this by running opensc-explorer and issuing:
    apdu 0 cb 3f ff 5 5c 3 5f c1 7
This returns 0x6a82 (file not found).
This call, however:
    apdu 0 cb 3f ff 5 5c 3 5f c1 5
Returns the X509 certificate correctly.
If I disable the probe call to GetDataCore for the CardCapabilityContainer, the device works correctly in Safari.
I have reported the issue to Yubico, but I am interested to see if you have any recommendations as to how to patch this in TokenD. You have a "GetDataExists" method in there which would prevent the exception. I guess that you need a unique ID for the smart card in probe though (would the CHUID be an alternative choice - that works?)
Let me know what you think!
DDD
_______________________________________________
SmartcardServices-Users mailing list
SmartcardServices-Users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/smartcardservices-users
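The probe behaviour discussed in this thread, as an added example that is not code from the Smart Card Services project or from either poster: a GET DATA helper that treats only SW 6A82 as "object absent", and a probe step that falls back from the CCC to the CHUID. The names `Transmit`, `Fetch`, `getData`, `probeIdSource` and `fakeToken` are hypothetical, the CHUID tag 5FC102 is taken from NIST SP 800-73, and the simulated card response is constructed.

```cpp
#include <cstdint>
#include <functional>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;
// Sends a command APDU; returns response data followed by SW1 SW2.
using Transmit = std::function<Bytes(const Bytes&)>;

// PIV object tags from NIST SP 800-73: 5FC107 = CCC, 5FC102 = CHUID.
const Bytes kTagCCC = {0x5F, 0xC1, 0x07};
const Bytes kTagCHUID = {0x5F, 0xC1, 0x02};
enum class Fetch { Ok, Absent, Error };

// GET DATA as in the thread (00 CB 3F FF 05 5C 03 <tag>), plus Le = 00.
Bytes buildGetData(const Bytes& tag) {
    Bytes apdu = {0x00, 0xCB, 0x3F, 0xFF, static_cast<uint8_t>(tag.size() + 2),
                  0x5C, static_cast<uint8_t>(tag.size())};
    apdu.insert(apdu.end(), tag.begin(), tag.end());
    apdu.push_back(0x00);
    return apdu;
}

// Only SW 6A82 (file not found) counts as "absent"; any other failure is an
// error, so the fallback cannot mask a transport or access-control fault.
Fetch getData(const Transmit& tx, const Bytes& tag, Bytes& out) {
    Bytes rsp = tx(buildGetData(tag));
    if (rsp.size() < 2) return Fetch::Error;
    unsigned sw = (rsp[rsp.size() - 2] << 8) | rsp.back();
    if (sw == 0x6A82) return Fetch::Absent;
    if (sw != 0x9000 || rsp.size() == 2) return Fetch::Error;
    out.assign(rsp.begin(), rsp.end() - 2);
    return Fetch::Ok;
}

// Hypothetical probe step: CCC if present, else CHUID; "" means do not claim the card.
std::string probeIdSource(const Transmit& tx, Bytes& id) {
    Fetch r = getData(tx, kTagCCC, id);
    if (r == Fetch::Ok) return "CCC";
    if (r == Fetch::Absent && getData(tx, kTagCHUID, id) == Fetch::Ok) return "CHUID";
    return "";
}

// Constructed stand-in for a token with a CHUID but no CCC (not real card data).
Bytes fakeToken(const Bytes& apdu) {
    if (apdu.size() == 11 && apdu[9] == 0x02) return {0x53, 0x02, 0xAA, 0xBB, 0x90, 0x00};
    return {0x6A, 0x82};
}

int main() { Bytes id; return probeIdSource(fakeToken, id) == "CHUID" ? 0 : 1; }
```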